From b1d9a2392884edc6135a247022d74792cb993b78 Mon Sep 17 00:00:00 2001
From: Oliver
Date: Tue, 15 Oct 2024 14:50:29 +1100
Subject: [PATCH] [CUI] Fix rendering issues for barcodes (#8286)
- Prevent barcode data from being "escaped"
- Run through bleach to brevent malicious data injection
---
 .../build/templates/build/build_base.html | 3 ++-
 .../templates/company/supplier_part.html | 3 ++-
 .../order/templates/order/order_base.html | 3 ++-
 .../templates/order/return_order_base.html | 3 ++-
 .../templates/order/sales_order_base.html | 3 ++-
 .../part/templates/part/part_base.html | 3 ++-
 .../InvenTree/report/templatetags/barcode.py | 18 ++++++++++++++++++
 .../stock/templates/stock/item_base.html | 3 ++-
 .../stock/templates/stock/location.html | 3 ++-
 9 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/src/backend/InvenTree/build/templates/build/build_base.html b/src/backend/InvenTree/build/templates/build/build_base.html
index 9b545f98b1..a1d798a5ec 100644
--- a/src/backend/InvenTree/build/templates/build/build_base.html
+++ b/src/backend/InvenTree/build/templates/build/build_base.html
@@ -3,6 +3,7 @@
 {% load static %}
 {% load i18n %}
 {% load generic %}
+{% load barcode %}
 {% load inventree_extras %}
 {% block page_title %}
@@ -310,7 +311,7 @@ src="{% static 'img/blank_image.png' %}"
 $('#show-qr-code').click(function() {
 showQRDialog(
 '{% trans "Build Order QR Code" escape %}',
- '{{ build.barcode }}'
+ `{% clean_barcode build.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/company/templates/company/supplier_part.html b/src/backend/InvenTree/company/templates/company/supplier_part.html
index b723f1ef8b..daf2ca99d8 100644
--- a/src/backend/InvenTree/company/templates/company/supplier_part.html
+++ b/src/backend/InvenTree/company/templates/company/supplier_part.html
@@ -1,6 +1,7 @@
 {% extends "page_base.html" %}
 {% load static %}
 {% load i18n %}
+{% load barcode %}
 {% load inventree_extras %}
 {% block page_title %}
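Review bot: Wrapping the tag output in a JavaScript template literal on the `+` line still leaves one live syntax inside the string: a backtick literal evaluates `${...}` placeholders, and `clean_barcode` only strips HTML tags and the backtick character, so barcode data containing `${` would be interpreted by the browser rather than displayed. The usual fix is to keep a quoted string and let Django do the JavaScript-context escaping, `'{{ build.barcode|escapejs }}'`, which encodes quotes, angle brackets and backticks as `\uXXXX` sequences that JavaScript decodes back to the original characters, so the payload survives unchanged and the HTML autoescaping that the commit works around never applies. The same backtick construct is introduced in supplier_part.html, order_base.html, return_order_base.html, sales_order_base.html, part_base.html, item_base.html and location.html. The click handler starts and ends inside the hunk, but the enclosing script block does not.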
@@ -303,7 +304,7 @@ onPanelLoad('supplier-part-notes', function() {
 $("#show-qr-code").click(function() {
 showQRDialog(
 '{% trans "Supplier Part QR Code" escape %}',
- '{{ part.barcode }}'
+ `{% clean_barcode part.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/order/templates/order/order_base.html b/src/backend/InvenTree/order/templates/order/order_base.html
index e8b9ce4110..2fb284d913 100644
--- a/src/backend/InvenTree/order/templates/order/order_base.html
+++ b/src/backend/InvenTree/order/templates/order/order_base.html
@@ -2,6 +2,7 @@
 {% load i18n %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load generic %}
@@ -333,7 +334,7 @@ $("#export-order").click(function() {
 $('#show-qr-code').click(function() {
 showQRDialog(
 '{% trans "Purchase Order QR Code" escape %}',
- '{{ order.barcode }}'
+ `{% clean_barcode order.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/order/templates/order/return_order_base.html b/src/backend/InvenTree/order/templates/order/return_order_base.html
index 15755c4199..849a718ab3 100644
--- a/src/backend/InvenTree/order/templates/order/return_order_base.html
+++ b/src/backend/InvenTree/order/templates/order/return_order_base.html
@@ -2,6 +2,7 @@
 {% load i18n %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load generic %}
@@ -271,7 +272,7 @@ $('#print-order-report').click(function() {
 $('#show-qr-code').click(function() {
 showQRDialog(
 '{% trans "Return Order QR Code" escape %}',
- '{{ order.barcode }}'
+ `{% clean_barcode order.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/order/templates/order/sales_order_base.html b/src/backend/InvenTree/order/templates/order/sales_order_base.html
index 987b2e49d2..cda2a5c659 100644
--- a/src/backend/InvenTree/order/templates/order/sales_order_base.html
+++ b/src/backend/InvenTree/order/templates/order/sales_order_base.html
@@ -2,6 +2,7 @@
 {% load i18n %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load generic %}
@@ -337,7 +338,7 @@ $('#print-order-report').click(function() {
 $('#show-qr-code').click(function() {
 showQRDialog(
 '{% trans "Sales Order QR Code" escape %}',
- '{{ order.barcode }}'
+ `{% clean_barcode order.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/part/templates/part/part_base.html b/src/backend/InvenTree/part/templates/part/part_base.html
index 1d19f557fe..010683cc79 100644
--- a/src/backend/InvenTree/part/templates/part/part_base.html
+++ b/src/backend/InvenTree/part/templates/part/part_base.html
@@ -2,6 +2,7 @@
 {% load static %}
 {% load i18n %}
+{% load barcode %}
 {% load inventree_extras %}
 {% block sidebar %}
@@ -458,7 +459,7 @@
 $("#show-qr-code").click(function() {
 showQRDialog(
 '{% trans "Part QR Code" escape %}',
- '{{ part.barcode|safe }}',
+ `{% clean_barcode part.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/report/templatetags/barcode.py b/src/backend/InvenTree/report/templatetags/barcode.py
index 85aeed953f..8b32576f5e 100644
--- a/src/backend/InvenTree/report/templatetags/barcode.py
+++ b/src/backend/InvenTree/report/templatetags/barcode.py
@@ -1,6 +1,7 @@
 """Template tags for rendering various barcodes."""
 from django import template
+from django.utils.safestring import mark_safe
 import barcode as python_barcode
 import qrcode.constants as ECL
@@ -26,6 +27,23 @@ def image_data(img, fmt='PNG'):
 return report.helpers.encode_image_base64(img, fmt)
+@register.simple_tag()
+def clean_barcode(data):
+ """Return a 'cleaned' string for encoding into a barcode / qrcode.
+
+ - This function runs the data through bleach, and removes any malicious HTML content.
+ - Used to render raw barcode data into the rendered HTML templates
+ """
+ from InvenTree.helpers import strip_html_tags
+
+ cleaned_date = strip_html_tags(data)
+
+ # Remove back-tick character (prevent injection)
+ cleaned_date = cleaned_date.replace('`', '')
+
+ return mark_safe(cleaned_date)
+
+
 @register.simple_tag()
 def qrcode(data, **kwargs):
 """Return a byte-encoded QR code image.
diff --git a/src/backend/InvenTree/stock/templates/stock/item_base.html b/src/backend/InvenTree/stock/templates/stock/item_base.html
index 05544a9ebb..4179bed59f 100644
--- a/src/backend/InvenTree/stock/templates/stock/item_base.html
+++ b/src/backend/InvenTree/stock/templates/stock/item_base.html
@@ -3,6 +3,7 @@
 {% load plugin_extras %}
 {% load inventree_extras %}
 {% load generic %}
+{% load barcode %}
 {% load i18n %}
 {% load l10n %}
@@ -530,7 +531,7 @@ $('#stock-edit-status').click(function () {
 $("#show-qr-code").click(function() {
 showQRDialog(
 '{% trans "Stock Item QR Code" escape %}',
- '{{ item.barcode }}',
+ `{% clean_barcode item.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/stock/templates/stock/location.html b/src/backend/InvenTree/stock/templates/stock/location.html
index a2e34576ee..76b254f4d6 100644
--- a/src/backend/InvenTree/stock/templates/stock/location.html
+++ b/src/backend/InvenTree/stock/templates/stock/location.html
@@ -1,5 +1,6 @@
 {% extends "stock/stock_app_base.html" %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load plugin_extras %}
 {% load i18n %}
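Review bot: `clean_barcode` returns its result through `mark_safe`, which tells the template engine the string is inert in whatever context it lands, but the function only guarantees that for HTML tags and the backtick character; the callers place it inside a JavaScript template literal, where a `${` sequence is still evaluated, and neither `strip_html_tags` (imported from InvenTree.helpers, not visible here) nor the `replace` call addresses it. The docstring should state exactly which output context the value is safe for and what it does not cover, for example `Output is marked safe for use between back-ticks in a JavaScript template literal; '${' placeholders are not neutralised, and the cleaned value is not guaranteed to round-trip the original barcode data.` — whereas the `escapejs` filter on a quoted string would encode rather than drop characters and keep the barcode payload intact. The docstring also says the data is run through bleach while the code calls `strip_html_tags`; describe what that helper does or name it directly. The local `cleaned_date` reads as a typo for `cleaned_data`.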
@@ -391,7 +392,7 @@
 $('#show-qr-code').click(function() {
 showQRDialog(
 '{% trans "Stock Location QR Code" escape %}',
- '{{ location.barcode }}'
+ `{% clean_barcode location.barcode %}`
 );
 });